Skip to main content

LDAP with ASP.Net Identity Core in MVC with project.json

Lightweight Directory Access Protocol (LDAP), the name itself explain it. An application protocol used over an IP network to access the distributed directory information service.

The first and foremost thing is to add references for consuming LDAP. This has to be done by adding reference from Global Assembly Cache (GAC) into project.json

 "frameworks": {  
  "net461": {  
   "frameworkAssemblies": {  
    "System.DirectoryServices": "4.0.0.0",  
    "System.DirectoryServices.AccountManagement": "4.0.0.0"  
   }  
  }  
 },

These System.DirectoryServices and System.DirectoryServices.AccountManagement references are used to consume LDAP functionality.

It is always better to have an abstraction for irrelevant items in consuming part. For an example, the application does not need to know about PrincipalContext or any other dependent items from those two references to make it extensible. So, we can begin with some basic interface implementation which suits us.

 public interface IActiveDirectory<TUser>  
   where TUser : IdentityUser  
 {  
   /// <summary>  
   /// Finds the user by identity asynchronously.  
   /// </summary>  
   /// <param name="userId">The user id.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>User information.</returns>  
   Task<TUser> FindByIdentityAsync(string userId, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Gets the user roles asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>Roles for the user.</returns>  
   IList<string> GetUserRolesAsyc(string username, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="identity">The identity.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns><c>true</c>if user is authenticated;<c>false</c>for unauthorized user.</returns>  
   Task<bool> IsAuthenticatedAsync(IIdentity identity, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="password">The password.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns><c>true</c>if user is authenticated;<c>false</c>for unauthorized user.</returns>  
   Task<bool> IsAuthenticatedAsync(string username, string password, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Gets Authenticated user claim asynchronous.  
   /// </summary>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>Authenticated user claims.</returns>  
   Task<ClaimsIdentity> AuthenticatedUserClaimAsync(CancellationToken cancellationToken = default(CancellationToken));  
 }

It is just the basic structure, but can be modified based on need.

With this structure, we need to have a proper definition for each item and in that, we would using the added references.

 public sealed class ActiveDirectoryLdap  
   : IActiveDirectory<User>, IDisposable  // TODO: Actual model 

 {  
   //  
   /// <summary>  
   /// The principal context  
   /// </summary>  
   private readonly PrincipalContext PrincipalContext;  
   /// <summary>  
   /// Initializes a new instance of the <see cref="ActiveDirectoryLdap"/> class.  
   /// </summary>  
   /// <param name="principalContext">The principal context.</param>  
   public ActiveDirectoryLdap(PrincipalContext principalContext)  
   {  
     PrincipalContext = principalContext;  
   }  
   /// <summary>  
   /// Gets Authenticated user claim asynchronous.  
   /// </summary>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   /// Authenticated user claims.  
   /// </returns>  
   public Task<ClaimsIdentity> AuthenticatedUserClaimAsync(CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var user = UserPrincipal.Current;  
     if (user != null)  
     {  
       using (var adUser = UserPrincipal.FindByIdentity(PrincipalContext, user.Name))  
       {  
         if (adUser != null)  
         {  
           return Task.FromResult(CreateClaims(adUser));  
         }  
       }  
     }  
     return Task.FromResult(new ClaimsIdentity());  
   }  
   /// <summary>  
   /// Creates the claims as Active Directory User.  
   /// </summary>  
   /// <param name="user">The user.</param>  
   /// <returns>Claims for user.</returns>  
   private ClaimsIdentity CreateClaims(UserPrincipal user)  
   {  
     var identity = new ClaimsIdentity();  
     if (user != null)  
     {  
       identity.AddClaims(new[]  
       {  
         new Claim(ClaimTypes.Name, user.Name),  
         new Claim(ClaimTypes.Email, user.EmailAddress),  
         new Claim(ClaimTypes.NameIdentifier, user.Name),  
         new Claim(ClaimTypes.Name, user.DisplayName),  
         new Claim(ClaimTypes.GivenName, user.GivenName)  
       });  
     }  
     return identity;  
   }  
   /// <summary>  
   /// Finds the user by identity asynchronously.  
   /// </summary>  
   /// <param name="userId">The user id.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   /// User information.  
   /// </returns>  
   public Task<User> FindByIdentityAsync(string userId,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var directoryUser = UserPrincipal.FindByIdentity(PrincipalContext, userId);  
     if (directoryUser != null)  
     {  
       return Task.FromResult(new User 
       {  
         //Id = userId,  
         UserName = userId,  
         Email = directoryUser.EmailAddress,  
         //FirstName = directoryUser.GivenName,  
         //LastName = directoryUser.Surname,  
         //DisplayName = directoryUser.Name  
       });  
     }  
     return Task.FromResult<User>(null);  
   }  
   /// <summary>  
   /// Gets the user roles asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   /// Roles for the user.  
   /// </returns>  
   public IList<string> GetUserRolesAsyc(string username,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var rols = new List<string>();  
     if (IsUserInGroup(username, "viewer"))  
     {  
       rols.Add("viewer");  
     }  
     if (IsUserInGroup(username, "admin"))  
     {  
       rols.Add("admin");  
     }  
     return rols;  
   }  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="identity">The identity.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   ///  <c>true</c>if user is authenticated;<c>false</c>for unauthorized user.  
   /// </returns>  
   public Task<bool> IsAuthenticatedAsync(IIdentity identity,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var userPrincipal = UserPrincipal.FindByIdentity(PrincipalContext,  
                         IdentityType.SamAccountName,  
                         identity.Name);  
     return Task.FromResult(userPrincipal != null);  
   }  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="password">The password.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   ///  <c>true</c>if user is authenticated;<c>false</c>for unauthorized user.  
   /// </returns>  
   public Task<bool> IsAuthenticatedAsync(string username, string password,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     return Task.FromResult(PrincipalContext.ValidateCredentials(username, password));  
   }  
   /// <summary>  
   /// Determines whether specified user is in group.  
   /// </summary>  
   /// <param name="user">The user.</param>  
   /// <param name="group">The group.</param>  
   /// <returns><c>true</c>if user is in group;<c>false</c>for not in a group.</returns>  
   private bool IsUserInGroup(string user, string group)  
   {  
     bool found = false;  
     try  
     {  
       var gropPrincipal = GroupPrincipal.FindByIdentity(PrincipalContext, group);  
       var userPrincipal = UserPrincipal.FindByIdentity(PrincipalContext, IdentityType.SamAccountName, user);  
       if (gropPrincipal != null)  
       {  
         found = gropPrincipal.GetMembers(true)  
           .Contains(userPrincipal);  
       }  
     }  
     catch (Exception)  
     {  
       found = false;  
     }  
     return found;  
   }  
   #region " IDisposable "  
   /// <summary>  
   /// Disposed  
   /// </summary>  
   private bool disposed = false;  
   /// <summary>  
   /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.  
   /// </summary>  
   public void Dispose()  
   {  
     Dispose(true);  
     GC.SuppressFinalize(this);  
   }  
   /// <summary>  
   /// Releases unmanaged and - optionally - managed resources  
   /// </summary>  
   /// <param name="disposing"><c>true</c> to release both managed and unmanaged resources.</param>  
   private void Dispose(bool disposing)  
   {  
     if (!disposed)  
     {  
       if (disposing)  
       {  
         PrincipalContext.Dispose();  
       }  
     }  
     this.disposed = true;  
   }  
   #endregion " IDisposable "


Ideally, whenever a user visits they should be automatically allowed to log in. So for that, we would be customizing UserManager to create our own function and call on the login page.

 public class MyProjectUserManager  
   : UserManager<User>  
 {  
   /// <summary>  
   ///   The active directory  
   /// </summary>  
   private readonly IActiveDirectory<User> ActiveDirectory;  
   /// <summary>  
   ///   Gets a flag indicating whether the Active Directory is supported.  
   /// </summary>  
   public readonly bool SupportsActiveDirectory;  
   /// <summary>  
   ///   Initializes a new instance of the <see cref="MyProjectUserManager" /> class.  
   /// </summary>  
   /// <param name="store">The store.</param>  
   /// <param name="optionsAccessor">The options accessor.</param>  
   /// <param name="passwordHasher">The password hasher.</param>  
   /// <param name="userValidators">The user validators.</param>  
   /// <param name="passwordValidators">The password validators.</param>  
   /// <param name="keyNormalizer">The key normalizer.</param>  
   /// <param name="errors">The errors.</param>  
   /// <param name="services">The services.</param>  
   /// <param name="logger">The logger.</param>  
   /// <param name="activeDirectory">The active directory.</param>  
   public MyProjectUserManager(IUserStore<User> store, IOptions<IdentityOptions> optionsAccessor,  
     IPasswordHasher<User> passwordHasher, IEnumerable<IUserValidator<User>> userValidators,  
     IEnumerable<IPasswordValidator<User>> passwordValidators, ILookupNormalizer keyNormalizer,  
     IdentityErrorDescriber errors, IServiceProvider services, ILogger<UserManager<User>> logger,  
     IActiveDirectory<User> activeDirectory)  
     : base(store, optionsAccessor, passwordHasher, userValidators, passwordValidators, keyNormalizer,  
       errors, services, logger)  
   {  
     ActiveDirectory = activeDirectory;  
     SupportsActiveDirectory = activeDirectory != null;  
   }  
   /// <summary>  
   ///   Gets the Active Directory user claims.  
   /// </summary>  
   /// <returns></returns>  
   private async Task<ClaimsIdentity> GetAdUserClaims()  
   {  
     if (SupportsActiveDirectory)  
     {  
       return await ActiveDirectory.AuthenticatedUserClaimAsync();  
     }  
     var identity = new ClaimsIdentity();  
     return await Task.FromResult(identity);  
   }  
   /// <summary>  
   ///   Gets or create Active Directory user entry and returns same.  
   /// </summary>  
   /// <returns></returns>  
   public async Task<User> GetOrCreateAdUser()  
   {  
     var adUserClaim = await GetAdUserClaims();  
     //if (adUserClaim.IsAuthenticated && adUserClaim.Claims.Any())  
     if (adUserClaim.Claims.Any())  
     {  
       var availableUser = await FindByNameAsync(adUserClaim.Name);  
       if (availableUser != null)  
       {  
         return await Task.FromResult(availableUser);  
       }  
       var usr = new User  
       {  
         UserName = adUserClaim.FindFirst(c => c.Type == ClaimTypes.NameIdentifier).Value,  
         Email = adUserClaim.FindFirst(c => c.Type == ClaimTypes.Email).Value  
       };  
       var result = await CreateAsync(usr);  
       if (result.Succeeded)  
       {  
         var claimsRes = await AddClaimsAsync(usr, adUserClaim.Claims);  
         if (claimsRes.Succeeded)  
         {  
           return await Task.FromResult(usr);  
         }  
       }  
     }  
     return await Task.FromResult(default(User));  
   }  
 }

The function GetOrCreateAdUser needs to be called on Login Get Action. This would create an entry into AspNet Identity Core. Please mark that it is being used to create a direct user in AspNet Identity without providing a password. It can be also customized to allow as external login.

The Get request for Login action.

 [HttpGet]  
 [AllowAnonymous]  
 public Task<IActionResult> Login(string returnUrl = null)  
 {  
   var adUser = await UserManager.GetOrCreateAdUser();  
   if (adUser != null)  
   {  
     //SignInManager.ExternalLoginSignInAsync()  
     await SignInManager.SignInAsync(adUser, false, CookieAuthenticationDefaults.AuthenticationScheme);  
     return RedirectToLocal(returnUrl);  
   }  
   ViewData["ReturnUrl"] = returnUrl;  
   return View();  
 }

That is all we need to do, the final part is to setup dependency injection for IActiveDirectory under Startup.cs.

 services.AddScoped<IActiveDirectory<User>>(provider =>  
 {  
   try  
   {  
     var adServerPath = Configuration.GetSection("AppSettings").Get<string>("LdapUrl"); // From configuration  
     return new ActiveDirectoryLdap(new PrincipalContext(ContextType.Domain, adServerPath));  
   }  
   catch (PrincipalServerDownException) // Avoid LDAP if not available.  
   {  
   }  
 });



Labels:

Comments

Post a Comment

Popular posts from this blog

Using Redis distributed cache in dotnet core with helper extension methods

Redis cache is out process cache provider for a distributed environment. It is popular in Azure Cloud solution, but it also has a standalone application to operate upon in case of small enterprises application. How to install Redis Cache on a local machine? Redis can be used as a local cache server too on our local machines. At first install, Chocolatey https://chocolatey.org/ , to make installation of Redis easy. Also, the version under Chocolatey supports more commands and compatible with Official Cache package from Microsoft. After Chocolatey installation hit choco install redis-64 . Once the installation is done, we can start the server by running redis-server . Distributed Cache package and registration dotnet core provides IDistributedCache interface which can be overrided with our own implementation. That is one of the beauties of dotnet core, having DI implementation at heart of framework. There is already nuget package available to override IDistributedCache i...
3 comments
Read more

Trim text in MVC Core through Model Binder

Trimming text can be done on client side codes, but I believe it is most suitable on MVC Model Binder since it would be at one place on infrastructure level which would be free from any manual intervention of developer. This would allow every post request to be processed and converted to a trimmed string. Let us start by creating Model binder using Microsoft.AspNetCore.Mvc.ModelBinding; using System; using System.Threading.Tasks; public class TrimmingModelBinder : IModelBinder { private readonly IModelBinder FallbackBinder; public TrimmingModelBinder(IModelBinder fallbackBinder) { FallbackBinder = fallbackBinder ?? throw new ArgumentNullException(nameof(fallbackBinder)); } public Task BindModelAsync(ModelBindingContext bindingContext) { if (bindingContext == null) { throw new ArgumentNullException(nameof(bindingContext)); } var valueProviderResult = bindingContext.ValueProvider.GetValue(bin...
2 comments
Read more

Kendo MVC Grid DataSourceRequest with AutoMapper - Advance

The actual process to make DataSourceRequest compatible with AutoMapper was explained in my previous post  Kendo MVC Grid DataSourceRequest with AutoMapper , where we had created custom model binder attribute and in that property names were changed as data models. In this post we will be looking into using AutoMapper's Queryable extension to retrieve the results based on selected columns. When  Mapper.Map<RoleViewModel>(data)  is called it retrieves all column values from table. The Queryable extension provides a way to retrieve only selected columns from table. In this particular case based on properties of  RoleViewModel . The previous approach that we implemented is perfect as far as this article ( 3 Tips for Using Telerik Data Access and AutoMapper ) is concern about performance where it states: While this functionality allows you avoid writing explicit projection in to your LINQ query it has the same fatal flaw as doing so - it prevents the qu...
Post a Comment
Read more

Getting started with Raspberry Pi

Raspberry Pi is a small, low powered motherboard contains 512 RAM, combined CPU and GPU. It has LAN, 2 USB, HDMI input, Audio Out, SD Card reader and S-Video connectors. We can have many Linux distribution OS on it. To configure, we just need to attach SD Card to it. SD Card could range from class 4 to class 10. In some cases Raspberry Pi could support less then class 4 cards too. It could be powered through mini USB mobile charger. Let's get started with installing OS on SD Card. There are various ways to install OS. Like we can download OSes through  http://www.raspberrypi.org/downloads  and follow the instructions given on it. There is something BerryBoot multi-boot loader through which we can have more then one OS on Raspberry Pi and boot OS according to our need.  http://www.berryterminal.com/doku.php/berryboot  instructions could be followed to install OS with very simple steps. You need to have internet connection on Raspberry Pi to install OS. It coul...
Post a Comment
Read more

OpenId Authentication with AspNet Identity Core

This is a very simple trick to make AspNet Identity work with OpenId Authentication. More of all both approach is completely separate to each other, there is no any connecting point. I am using  Microsoft.AspNetCore.Authentication.OpenIdConnect  package to configure but it should work with any other. Configuring under Startup.cs with IAppBuilder app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme, LoginPath = new PathString("/Account/Login"), CookieName = "MyProjectName", }) .UseIdentity() .UseOpenIdConnectAuthentication(new OpenIdConnectOptions { ClientId = "<AzureAdClientId>", Authority = String.Format("https://login.microsoftonline.com/{0}", "<AzureAdTenant>"), ResponseType = OpenIdConnectResponseType.IdToken, PostLogoutRedirectUri = "<my website url>", ...
Post a Comment
Read more

Elegantly dealing with TimeZones in MVC Core / WebApi

In any new application handling TimeZone/DateTime is mostly least priority and generally, if someone is concerned then it would be handled by using DateTime.UtcNow on codes while creating current dates and converting incoming Date to UTC to save on servers. Basically, the process is followed by saving DateTime to UTC format in a database and keep converting data to native format based on user region or single region in the application's presentation layer. The above is tedious work and have to be followed religiously. If any developer misses out the manual conversion, then that area of code/view would not work. With newer frameworks, there are flexible ways to deal/intercept incoming or outgoing calls to simplify conversion of TimeZones. These are steps/process to achieve it. 1. Central code for storing user's state about TimeZone. Also, central code for conversion logic based on TimeZones. 2. Dependency injection for the above class to ...
4 comments
Read more

Centralized model validation both for MVC/WebApi and SPA client-side validation using FluentValidation

Validation is one of the crucial parts of any application. It has to validate on both client side and server side requests. What are target features or implementation from this article? Model validation for any given model. Centralized/One code for validation on both server-side and client-side. Automatic validation of model without writing any extra codes on/under actions for validation.  NO EXTRA/ANY codes on client-side to validate any form. Compatible with SPA. Can be compatible with any client-side validation framework/library. Like Angular Reactive form validation or any jquery validation libraries. Tools used in the implementation? FluentValidation : I feel DataAnnotation validation are excellent and simple to use, but in case of complex validation or writing any custom validations are always tricker and need to write a lot of codes to achieve whereas FluentValidations are simple even in case of complex validation. Generally, we need to validate inc...
2 comments
Read more

Interface based model binding to populate properties value automatically

Interface is great way to make consistency and re-useability of codes. In this tutorial, I am going to show the power of interface to populate view/domain models automatically and interchange values between models. Technologies or techniques used in this approach: - MVC. - Interface for models. - MVC model binder for associated model with interface. Through this model binder we will populate values. - T4 template to generate code to register model binder with all models associated with interface. - Generic extension method to interchange values. It might sounding bit complex to achieve small thing. Just hold on with me and see unfolding. This will result in easier maintenance and less repetitive code. First let's start with creation of Interface that need to be populate automatically. This interface would be implemented on models and values will be auto-populated on binder. /// <summary> /// Interface for storing entry related values /// </summar...
Post a Comment
Read more

C# Response files

Response files are similar to batch files, having some specific instruction. On execution they perform some predefined task based on instruction. Response file contains instruction to compile programs. If we have to build complex program through command line then response files are really helpful in development process. rsp is an extension for response files. By default, csc.rsp file exists under "Framework" folder Ex: C:\Windows\Microsoft.NET\Framework\v4.0.30319. csc.rsp contains long list of system references (dlls). Some contents under csc.rsp # Reference the common Framework libraries /r:Accessibility.dll /r:Microsoft.CSharp.dll /r:System.Configuration.dll /r:System.Configuration.Install.dll /r:System.Core.dll /r:System.Data.dll /r:System.Data.DataSetExtensions.dll /r:System.Data.Linq.dll .......... In same way we can have our own response file defined which might include some third party dll. Let's see an example. Suppose we have to create an appli...
Post a Comment
Read more

Implementing/Automating audit logs in Telerik Data Access

Audit logs can be tedious task if done manually, also developer might miss to update audit log implementation on certain level. The codes would be repeated on all places if not centralized. There are many approach available to maintain change history of model/table. Like having single history table and manage all changes of all models in same table. We may maintain in same table with some flags and JSON data for change list. We will look for maintaining history table based on each required data models with minimum effort and performance. To reduce code, I am going to use T4 to generate history models automatically based on original model. Also we are going to take care of Artificial type values. Step 1 - Create a custom attribute to mark model that history need to be maintained. /// <summary> /// Attribute to maintain history table /// </summary> [AttributeUsage(AttributeTargets.Class)] public class ManageHistoryAttribute : Attribute ...
Post a Comment
Read more